Splunk Search

How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)?

lassel
Communicator

For audit and performance reasons, I want to educate (force) my users to always explicitly provide the index(es) that they want to search.
First I have made sure that no default indexes are searched.

Secondly I would like to limit the searches. Can I limit searches that use wildcard in index?
E.g. index=* index=test* index=*test

I am aware that "Access Controls > Roles" has a "Restrict search terms" field, but I can't find any documentation or examples on what I want to do.

1 Solution

lassel
Communicator

Got this answer from Splunk support:

With regards to your index=* question, the answer is currently "no"

With our current set of roles and capabilities, we do not have a method by which to restrict the use of wild-cards in search strings.

Currently, the best practice here is to define roles that restrict access to only the necessary indexes and educate your users on Search & Reporting best practices so that they build efficient search queries.

View solution in original post

lassel
Communicator

Got this answer from Splunk support:

With regards to your index=* question, the answer is currently "no"

With our current set of roles and capabilities, we do not have a method by which to restrict the use of wild-cards in search strings.

Currently, the best practice here is to define roles that restrict access to only the necessary indexes and educate your users on Search & Reporting best practices so that they build efficient search queries.

lassel
Communicator

Can somebody confirm if what I want is impossible?

I conclude that it is impossible using "Restrict search terms", but is there another way?

0 Karma

stephane_cyrill
Builder

Hi, it is simple,just create a role for these users and make a restriction on these search terms (index =........).

to do it in splunk web:

setting > access control > roles >add new
under search restrictions, put what you want to be restricted (index= index=test OR index=*test)

Do not forget to specify to whom the role should be apply.

0 Karma

stephane_cyrill
Builder

I'm not sure we can use regex, the error you have ,was is not the goal( to hinder a user to do such a search?)

If the usage of wildcard * is more global than wath you want, try to list precise search terms.Read the note under the text box of SEARCH TERMS RESTRICTION.

0 Karma

lassel
Communicator

From the administration page:

Search restrictions
Restrict the scope of searches run by this role. Search results for this role will only show events that also match this search string.

Can include source, host, index (can be set below), eventtype, sourcetype, search fields, , and OR and AND. Example: "`host=web OR source=/var/log/*`"

It seems like it is impossible to limit user queries that way I want to. Naming the precise search terms is very hard and impossible to administrate when I add new indexes. Besides. Given enough valid queries, the user can still run the wildcard queries, that I wish to limit.

Is there any other way to limit queries?

0 Karma

lassel
Communicator

Thank you for your answer.

Can I use regular expressions in search restrictions?

Also will your restriction limit a user that searches on "index=foo OR index=bar*"?

0 Karma

lassel
Communicator

I want to limit queries that match:
index=[^*]+

0 Karma

lassel
Communicator

Doing that gives me an error on every search like this:
Error in 'SearchParser': Missing a search command before '^'. Error at position '46' of search query 'litsearch ( index=splunktest abc ) ( ( index=[^*]+'.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...